Full_Name: George Tzanetis
Version: 2.4.23 stable
OS: Red Hat Enterprise 5.5
URL:
Submission from: (NULL) (62.169.213.126)
I have built openldap 2.4.23 with the back-ndb on 4 machines.
I created the slapd.conf as follows:
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
#######################################################################
# NDB database definitions
#######################################################################
#NDB database definitions
database ndb
suffix "dc=example,dc=gr"
rootdn "cn=root,dc=example,dc=gr"
rootpw secret
dbconnect 192.168.6.11
dbhost 192.168.6.12
dbport 3306
dbname openldap
dbuser ldapUser
dbpass "1234"
dbconnections 3
dbsocket /tmp/mysql.sock
attrblob description
index uid
#######################################################################
# Monitor Database definitions
#######################################################################
database monitor
loglevel 5
My problem is that I can authenticate to the ldap with any password for the
cn=root,dc=example,dc=gr (rootdn) user, as long as I specify a password.
To make it clearer, all the following ldapsearches work:
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret1 -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w sec -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w " " -D "cn=root,dc=example,dc=gr"
If I do not specify a password, (i.e. -w flag is omitted) I get the message:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
In addition, if I don't input the correct rootdn user, I get the message:
ldap_bind: Invalid credentials (49).
This behavior exists in all instances of openldap with ndb as back-end.
I did some more testing and built openldap with both the bdb and ndb backends. The
issue appears only for the suffix that is stored in the ndb back-end and not for
the bdb back-end, so there must be something wrong with the bind operation of
slapd-ndb.
Finally, I would like to state that with the slapd-ndb, all the ldapsearches /
modifications / deletions are performed correctly, even if the rootpw password
is wrong.
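The four ldapsearch runs above, redone as an added example that is not part of the report or of OpenLDAP: a dependency-free probe that hand-builds LDAPv3 simple BindRequests (RFC 4511 BER), sends each on a fresh connection, and classifies the server the way the report does (wrong or blank-looking password accepted means the rootdn check is broken). The host, port, rootdn and rootpw are parameters; the report's values are only defaults assumed here, and the "empty" probe is recorded but not judged because slapd refuses it with resultCode 53 either way.

```python
"""Probe an LDAP server for the rootdn bind weakness described in the report.

Added example, not code from the report or from OpenLDAP.  Assumed inputs
(the report's values are the defaults): slapd at 192.168.6.10:389,
rootdn cn=root,dc=example,dc=gr, rootpw "secret".
"""
import socket

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n, tag=0x02):
    """Minimal two's-complement encoding of a non-negative INTEGER (or ENUMERATED with tag 0x0A)."""
    return _tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }"""
    op = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(msg_id) + op)


def bind_response(msg_id, result_code, diag=""):
    """The server's side: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }"""
    op = _tlv(0x61, _int(result_code, 0x0A) + _tlv(0x04, b"") + _tlv(0x04, diag.encode()))
    return _tlv(0x30, _int(msg_id) + op)


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from one BindResponse message."""
    _, msg, _ = _read_tlv(data)
    _, mid, pos = _read_tlv(msg)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def simple_bind(sock, dn, password, msg_id=1):
    """One simple bind over an open socket; returns (resultCode, diagnosticMessage)."""
    sock.sendall(bind_request(msg_id, dn, password))
    data = b""
    while True:  # accumulate until one complete BER message has arrived
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before answering")
        data += chunk
        if len(data) >= 2:
            _, _, end = _read_tlv(data)
            if end <= len(data):
                break
    _, code, diag = parse_bind_response(data[:end])
    return code, diag


def verdict(results):
    """results maps the probe labels to result codes; returns the finding as one line."""
    for label in ("wrong", "space"):
        if results[label] == SUCCESS:
            return "VULNERABLE: rootdn bind succeeded with a %s password" % label
    if results["wrong"] != INVALID_CREDENTIALS:
        return "UNEXPECTED: wrong password returned resultCode %d" % results["wrong"]
    if results["right"] != SUCCESS:
        return "MISCONFIGURED: the real rootpw was rejected (resultCode %d)" % results["right"]
    return "OK: wrong rootdn passwords are rejected with invalidCredentials"


def probe_rootdn(host="192.168.6.10", port=389, dn="cn=root,dc=example,dc=gr", rootpw="secret"):
    """Repeat the report's binds, each on a fresh connection; returns {label: resultCode}."""
    results = {}
    for label, pw in (("wrong", rootpw + "1"), ("space", " "), ("empty", ""), ("right", rootpw)):
        with socket.create_connection((host, port), timeout=5) as s:
            results[label], _ = simple_bind(s, dn, pw)
    return results


if __name__ == "__main__":
    r = probe_rootdn()
    print(r)
    print(verdict(r))
```

A fresh connection per bind matters: the bug is in the bind itself, and reusing one connection would let an earlier successful bind mask the result of a later one.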

Yes it is fixed,
But in your fix, only the rootpw password works. If we have the rootdn also
as a dn stored inside the ldap tree then openldap does not try to bind to
the dn of the tree if the rootpw is incorrect.
If we use the same code segment of bind.cpp written for back-bdb which is:
    /* allow noauth binds */
    switch ( be_rootdn_bind( op, NULL ) ) {
    case LDAP_SUCCESS:
        /* frontend will send result */
        return rs->sr_err;
    default:
        break;
    }
and the rootpw is not matched, then slapd will continue to search the ldap
tree and if it finds a dn and its userPassword matches, then it authenticates.
If an appropriate dn / password is not found in the tree, then it throws the
invalid credentials error.
Maybe the bind-dbd way is more correct?
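The decision order described in the message above, as an added example in Python that is not OpenLDAP code: the rootpw is checked first, a rootpw mismatch (or a DN that is not the rootdn) falls through to the entry in the tree, and the fall-through is a real {SSHA} userPassword check rather than a placeholder. The config, the two entries and the DN normalisation (plain lowercasing, which is simpler than slapd's) are assumptions made for this example.

```python
"""Model of the bind order that the back-bdb snippet in the message implements.

Added example, not OpenLDAP code.  CONFIG, TREE and the lowercasing used as
DN normalisation are constructed here and are not from the report.
"""
import base64
import hashlib
import hmac
import os

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53


def ssha_hash(password, salt=None):
    """slappasswd-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored, password):
    """Verify a userPassword/rootpw value that is either {SSHA} or cleartext."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), password.encode())


def rootdn_bind(config, dn, password):
    """Model of be_rootdn_bind(): SUCCESS only for the rootdn with a matching rootpw."""
    if dn.lower() != config["rootdn"].lower() or not config.get("rootpw"):
        return INVALID_CREDENTIALS
    return SUCCESS if check_password(config["rootpw"], password) else INVALID_CREDENTIALS


def simple_bind(config, tree, dn, password):
    """Unauthenticated binds refused, then rootpw, then the entry in the tree."""
    if password == "":
        return UNWILLING_TO_PERFORM  # "unauthenticated bind (DN with no password) disallowed"
    if rootdn_bind(config, dn, password) == SUCCESS:
        return SUCCESS  # the LDAP_SUCCESS case of the switch: frontend sends the result
    entry = tree.get(dn.lower())  # rootpw mismatch or not the rootdn: look the DN up in the tree
    if entry is None:
        return INVALID_CREDENTIALS
    for stored in entry.get("userPassword", ()):
        if check_password(stored, password):
            return SUCCESS
    return INVALID_CREDENTIALS


# Constructed sample: the report's rootdn, also present as an entry with its own password.
CONFIG = {"rootdn": "cn=root,dc=example,dc=gr", "rootpw": "secret"}
TREE = {
    "cn=root,dc=example,dc=gr": {"userPassword": [ssha_hash("treepw", b"salt")]},
    "uid=alice,dc=example,dc=gr": {"userPassword": [ssha_hash("alicepw", b"\x01\x02\x03\x04")]},
}


def demo():
    """The report's binds plus the fall-through case; returns {password: resultCode}."""
    root = CONFIG["rootdn"]
    return {pw: simple_bind(CONFIG, TREE, root, pw)
            for pw in ("secret1", "secret", "sec", " ", "", "treepw")}


if __name__ == "__main__":
    for pw, code in demo().items():
        print("%-9r -> %d" % (pw, code))
```

With this order, "secret1", "sec" and " " get invalidCredentials, "secret" succeeds through rootpw, "" is refused as an unauthenticated bind, and "treepw" succeeds only because the rootdn is also an entry in the tree, which is exactly the case the message says the first fix did not cover.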

Should be fine now. The whole thing originated from the fact that
be_rootdn_bind() was passed a NULL SlapReply* without handling results
accordingly. Thanks, p.
> Yes it is fixed,
>
> But in your fix, only the rootpw password works. If we have the rootdn
> also as a dn stored inside the ldap tree then openldap does not try to
> bind to the dn of the tree if the rootpw is incorrect.
>
> if we use the same code segment of bind.cpp written for back-bdb which is:
>
> /* allow noauth binds */
> switch ( be_rootdn_bind( op, NULL ) ) {
> case LDAP_SUCCESS:
> /* frontend will send result */
> return rs->sr_err;
> default:
> break;
> }
> And the rootpw is not matched, then slapd will continue to search the ldap
> tree and if it finds a dn and its userPassword matches, then it
> authenticates. If an appropriate dn / password is not found in the tree,
> then it throws the invalid credentials error.
>
> Maybe the bind-dbd way is more correct?